0

I'm building a chat and having a feature with cloud translation API, for each client I create a new API Key to been able to identify the consume usage of each client, the problem is the following:

I want to see the consume of all API Keys inside a project, something like the Operations Logging:

Example of Operations logging

But revealing information of the timestamp and the API Key name use so I can be able to track each client usage of the service and determine how much I am going to bill them.

Update

Doing some additional research come up to this article which gives a walkthrough to gain visibility on Service Account Keys (similar but not what I needed). On this guide they create a Log Sink to push logs into BigQuery.

The problem now is that the filter used to extract the logs is the following:

logName:"projects/<PROJECT>/logs/cloudaudit.googleapis.com" 
protoPayload.authenticationInfo.serviceAccountKeyName:"*"

The second line extract log that belongs to Service Account Key Name. But as it was stated at the beginning of the question I'm looking for the API Key log not the service account key.

Galinbro
  • 3
  • 4
  • 2
    The features is called "Data Access Audit Logs". This must be enabled and generates a large amount of logging information that is billed ($0.50/GiB). AFAIK, only IAM user activity is logged, API Keys are not logged. I think there are possibly better design choices such as creating your own service that calls Translate, uses Google OAuth for authorization and your service stores user activity in a database. API Keys are legacy and have security issues. – John Hanley Jan 20 '21 at 16:56
  • Sorry for being late to the party - just had almost same use case. It's possible to check for apikey usage in metrics of the API. It's harder to implement that way, but still possible. There is possibility to group data by apikey. Example: `https://console.cloud.google.com/apis/api/compute.googleapis.com/metrics?project=...` – Mr.TK Nov 24 '22 at 05:54

1 Answers1

0

You can use Cloud Audit logs 1 , Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization:

-Admin Activity audit logs

-Data Access audit logs

-System Event audit logs

-Policy Denied audit logs

Google Cloud services write audit log entries to these logs to help you answer the questions of "who did what, where, and when?" within your Google Cloud resources.

For this scenario it could be helpful Data Access audit logs 2, it contains API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs do not record the data-access operations on resources that are publicly shared (available to All Users or All Authenticated Users) or that can be accessed without logging into Google Cloud.

As mentioned in the previous comment, this logs are disabled by default because they can be quite large; they must be explicitly enabled to be written.

However, the simplest way to view your API metrics is to use the Google Cloud Console's API Dashboard 3. You can see an overview of all your API usage, or you can drill down to your usage of a specific API.

Airus
  • 35
  • 4
  • 1
    1) Does Data Access Audit Logs record API Key Activity? 2) Does the Console API Dashboard display API usage by API Key? – John Hanley Jan 20 '21 at 21:45
  • As mention by John Hanley, Data Access Audit Logs and API Dashboard doesn't seems to display the specific usage per key(displays information per service). So how could you enable data-access operations logs on API key resource @GabrielTorres ? – Galinbro Jan 22 '21 at 16:44